From bc631e6361b3b7f5229e2d2d287008cee27e838c Mon Sep 17 00:00:00 2001
From: Kyle Carberry
Date: Thu, 20 Jun 2024 19:48:02 +0000
Subject: [PATCH 1/2] fix: allow coder.com in CSP if telemetry is enabled

---
 coderd/coderd.go | 2 +-
 coderd/httpmw/csp.go | 7 ++++++-
 coderd/httpmw/csp_test.go | 2 +-
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/coderd/coderd.go b/coderd/coderd.go
index 6de169cce71b7..cca4faf36a203 100644
--- a/coderd/coderd.go
+++ b/coderd/coderd.go
@@ -1210,7 +1210,7 @@ func New(options *Options) *API {
 // Add CSP headers to all static assets and pages. CSP headers only affect
 // browsers, so these don't make sense on api routes.
- cspMW := httpmw.CSPHeaders(func() []string {
+ cspMW := httpmw.CSPHeaders(options.Telemetry.Enabled(), func() []string {
 if api.DeploymentValues.Dangerous.AllowAllCors {
 // In this mode, allow all external requests
 return []string{"*"}
diff --git a/coderd/httpmw/csp.go b/coderd/httpmw/csp.go
index fde5c62d8bd6f..b0b2edf2442cd 100644
--- a/coderd/httpmw/csp.go
+++ b/coderd/httpmw/csp.go
@@ -43,7 +43,7 @@ const (
 // CSPHeaders returns a middleware that sets the Content-Security-Policy header
 // for coderd. It takes a function that allows adding supported external websocket
 // hosts. This is primarily to support the terminal connecting to a workspace proxy.
-func CSPHeaders(websocketHosts func() []string) func(next http.Handler) http.Handler {
+func CSPHeaders(telemetry bool, websocketHosts func() []string) func(next http.Handler) http.Handler {
 return func(next http.Handler) http.Handler {
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 // Content-Security-Policy disables loading certain content types and can prevent XSS injections.
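Review bot: The doc comment on CSPHeaders still describes only websocketHosts, while the new signature adds a telemetry bool whose effect on the emitted policy is not documented anywhere a caller reads. I would extend the comment with `// If telemetry is true, https://coder.com is appended to connect-src; pass false to leave connect-src unchanged.` The call site in coderd.go evaluates `options.Telemetry.Enabled()` once when the middleware is constructed, so if that setting can change while the server runs, the header will not follow it — worth a sentence in the comment if so. The body of CSPHeaders continues past the hunk.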
@@ -83,6 +83,11 @@ func CSPHeaders(websocketHosts func() []string) func(next http.Handler) http.Han
 // "require-trusted-types-for" : []string{"'script'"},
 }
 
+ if telemetry {
+ // If telemetry is enabled, we report to coder.com.
+ cspSrcs.Append(cspDirectiveConnectSrc, "https://coder.com")
+ }
+
 // This extra connect-src addition is required to support old webkit
 // based browsers (Safari).
 // See issue: https://github.com/w3c/webappsec-csp/issues/7
diff --git a/coderd/httpmw/csp_test.go b/coderd/httpmw/csp_test.go
index 2dca209faa5c3..d389d778eeba6 100644
--- a/coderd/httpmw/csp_test.go
+++ b/coderd/httpmw/csp_test.go
@@ -19,7 +19,7 @@ func TestCSPConnect(t *testing.T) {
 r := httptest.NewRequest(http.MethodGet, "/", nil)
 rw := httptest.NewRecorder()
 
- httpmw.CSPHeaders(func() []string {
+ httpmw.CSPHeaders(false, func() []string {
 return expected
 })(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 rw.WriteHeader(http.StatusOK)

From 3a79663d1de55db63a140d53b418426088e13339 Mon Sep 17 00:00:00 2001
From: Kyle Carberry
Date: Thu, 20 Jun 2024 19:55:26 +0000
Subject: [PATCH 2/2] Fix control couple lint

---
 coderd/httpmw/csp.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/coderd/httpmw/csp.go b/coderd/httpmw/csp.go
index b0b2edf2442cd..0862a0cd7cb2a 100644
--- a/coderd/httpmw/csp.go
+++ b/coderd/httpmw/csp.go
@@ -43,6 +43,8 @@ const (
 // CSPHeaders returns a middleware that sets the Content-Security-Policy header
 // for coderd. It takes a function that allows adding supported external websocket
 // hosts. This is primarily to support the terminal connecting to a workspace proxy.
+//
+//nolint:revive
 func CSPHeaders(telemetry bool, websocketHosts func() []string) func(next http.Handler) http.Handler {
 return func(next http.Handler) http.Handler {
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
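Review bot: The origin added by the new `cspSrcs.Append(cspDirectiveConnectSrc, "https://coder.com")` is hard-coded while the decision is keyed only on a bool, so if the telemetry destination is configurable elsewhere (the call site passes `options.Telemetry.Enabled()`, which suggests a telemetry object that knows where it reports), a deployment reporting to another host would have browser-side requests blocked by CSP while this header still permits coder.com. Passing the telemetry origin (or an empty string) instead of a bool and appending exactly that value keeps the allowance as narrow as the real target and avoids opening coder.com where it is not used. CSP only constrains the browser, so the comment should name the browser-side code that performs the request rather than "we report"; something like `// Telemetry requests made from the dashboard go to coder.com; connect-src must allow that origin.` if that is indeed the path. The enclosing handler body starts and ends outside the hunk.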
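Review bot: TestCSPConnect exercises the new parameter only with `false`, so the branch that appends `https://coder.com` to connect-src has no coverage in either direction. Add a case that constructs the middleware with `true` and checks that `rw.Header().Get("Content-Security-Policy")` contains `https://coder.com` in connect-src, and assert in the existing `false` case that it does not, so a regression that leaks the origin into every deployment's policy is caught. TestCSPConnect's body continues outside the hunk.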
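Review bot: The added `//nolint:revive` silences every revive rule on CSPHeaders, not just the control-coupling complaint the commit message refers to, and carries no reason, so the exemption will outlive its cause and hide unrelated findings later. State the rule and the justification on the directive, e.g. `//nolint:revive // flag-parameter: telemetry only toggles one connect-src entry.`, which golangci-lint accepts and reviewers can audit. Alternatively the lint is avoidable without a flag by accepting the extra connect-src origins as a slice, which also removes the hard-coded host from this package. The function body continues past the hunk.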